The present invention relates to systems and methods for authenticating transactions conducted by parties over open electronic networks such as the Internet. In particular, the invention relates to authentication of Internet transactions in which customers charge payments to credit or debit cards.
E-commerce is now popular. Conducting transactions over electronic networks such as the Internet has the now oft-stated advantages of convenience, lower costs, market reach and choice, for both merchants and customers. However, the anonymity of the Internet brings to a commercial or retail sale the issues of fraud and misuse. A transacting merchant has a desire to authenticate the sale, certify the sale, confirm the sale, ensure non-repudiation of the sale, ensure payment, and control anonymity. Similarly, a buyer has a desire to control authentication of the sale, integrity of the sale, recourse of a bad sale, confirmation of the sale, privacy, and anonymity.
Commonly invented and co-owned International patent application WO03073389, which is hereby incorporated by reference in its entirety herein, describes a network payment system for authenticating the customer in a customer-merchant transaction conducted over the Internet. The Internet links a merchant server and a customer terminal to a payment server. The customer uses an Integrated Circuit Card (ICC) as an identification device. The ICC is in communication with the customer terminal via a card reader. The ICC generates a cryptogram in response to information about a pending transaction. This information may be a challenge message generated by the customer terminal. The card reader converts a portion of the cryptogram generated by the ICC into a unique authentication token, which then can be transmitted over the Internet, for example, to the payment server, to authenticate the customer.
Another Internet payment system, which relies on a “smart” chip card for payment of goods and/or services purchased over the Internet, is described in Davis et al. U.S. Pat. No. 6,282,522. The ICC and other smart cards may be based on common industry specifications (e.g., EMV standards developed jointly by Europay International, Mastercard International and Visa International) to enable interoperability across various payment systems.
Card issuers and other financial institutions now offer or use standardized Internet transaction protocols to improve on-line transaction performance and to accelerate the growth of electronic commerce. Under some standardized protocols (e.g., the 3-D Secure™ Protocol developed by Visa International), card issuers or issuing banks may authenticate transactions, thereby reducing the likelihood of fraud and of the associated chargebacks attributed to transactions the cardholder did not authorize. The presence of an authenticated transaction may result in the issuer assuming liability for fraud should it occur despite efforts to authenticate the cardholder during an online purchase; merchants are assured by card issuers or issuing banks that they will be paid for issuer-authenticated transactions. The 3-D Secure™ protocol is consistent with and underlies the authentication programs offered by card issuers (e.g., Verified by Visa or MasterCard SecureCode™) to authenticate customers for merchants during remote transactions such as those conducted over the Internet. The 3-D Secure™ Protocol leverages existing Secure Sockets Layer (SSL) encryption functionality and provides enhanced security through issuer authentication of the cardholder during the online shopping session. A piece of software called the Merchant Plug In (MPI) is used by participating merchants to exchange messages, pass information and query participants in order to establish an authentication session between the cardholder and their card issuer during an online purchase.
The 3-D Secure Protocol services are based on a three-domain model: the issuer domain, the acquirer domain and the interoperability domain. The issuer is responsible for managing the enrollment of cardholders in the service, and for authenticating cardholders during on-line transactions. The Acquirer is responsible for defining procedures so that merchants participating in Internet transactions operate under an agreement with the Acquirer, and for providing back end processing for authenticated transactions. The Interoperability domain facilitates the transaction exchange between the other two domains with a common protocol and shared services. Cardholders and their banks fall under the Issuer Domain; merchants and their banks fall under the Acquirer Domain. Communication between issuing and acquiring banks or financial institutions and card issuer infrastructure falls under the Interoperability Domain. While transacting with 3-D Secure compliant banks and merchants, a consumer may have the same Internet shopping experience as previously, except that there is a separate authentication window or pop-up screen from the cardholder's bank to determine whether the transacting party is indeed the cardholder of record. The transaction flow for an on-line Internet purchase transaction under the protocol may be as follows:
(1) The customer fills in payment data at the Merchant web site in the usual fashion, via an encrypted Secure Sockets Layer (SSL) connection.
(2) The Merchant then sends a message through an MPI to a Directory, which in turn queries the card issuer to find out whether the customer is enrolled in the 3-D Secure program.
(3) The card issuer responds to the Directory with a message indicating whether the cardholder is enrolled and, if so, provides a Web address for the bank that issued the card. This message is then processed and a response forwarded to the Merchant.
(4) The Merchant then sends a message to the issuing bank, through the cardholder device, to initiate an authentication session between the cardholder and the card issuer, in which transaction details such as Merchant name and transaction amount may also be presented to the cardholder for confirmation.
(5) The issuing bank then presents an authentication window to the cardholder detailing information related to the transaction, such as Merchant name and amount, a personal security message, and a response area where authentication details can be entered by the cardholder.
(6) The customer approves the transaction in one of a variety of ways, depending on how the issuing bank chooses to implement the system. Options may range from entering a static password or PIN to using a smart card and a Personal Card Reader (PCR) to generate an authentication token.
(7) If the authentication is valid, the issuer sends a message to the merchant indicating that the authentication was successful. The issuer also notifies the merchant if the authentication failed or could not be completed.
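As an added illustration (not code from this patent, from the cited WO03073389 system, or from any 3-D Secure implementation), the following Python simulation walks through steps (2) to (7) above with both sides' messages, and also models the chip-card cryptogram to reader token conversion described for the earlier WO03073389 system: a directory enrollment lookup keyed on the card range, an issuer challenge carrying merchant and amount, a cardholder response that is either a static password or a token a Personal Card Reader derives from a card cryptogram, and the issuer's verification, which rejects a token computed over a different amount and a replayed token. The Issuer, Directory, ChipCard and run_purchase names, the BIN-to-issuer routing, the HMAC-SHA256 cryptogram, the four-byte token truncation and the sample card numbers and keys are all assumptions made for this example; the real 3-D Secure messages and EMV/CAP cryptogram formats differ.

```python
"""Simplified simulation of the 3-D Secure style flow described above.
Constructed example: message shapes, key handling and the cryptogram-to-token
derivation are illustrative assumptions, not the real 3-D Secure or EMV/CAP
formats."""
import hashlib
import hmac
import secrets

# Constructed issuer data. Per-card MAC keys stand in for EMV card keys (really
# derived from an issuer master key); static passwords serve holders without a reader.
CARD_KEYS = {"4000000000000002": bytes.fromhex("00112233445566778899aabbccddeeff")}
STATIC_PASSWORDS = {"4000000000000010": "correct-horse-battery"}
ACS_BY_URL = {}  # stands in for the cardholder browser following the issuer's URL


def card_cryptogram(card_key, atc, challenge, amount, merchant):
    """ICC side: MAC over the card's transaction counter and the transaction data
    (assumed construction; EMV uses a session key and 3DES/AES, not HMAC-SHA256)."""
    data = f"{atc}|{challenge}|{amount}|{merchant}".encode()
    return hmac.new(card_key, data, hashlib.sha256).digest()


def pcr_token(cryptogram):
    """Reader side: convert a portion of the cryptogram into a short decimal token
    the cardholder can type into the window (assumed: first 4 bytes, mod 1e8)."""
    return f"{int.from_bytes(cryptogram[:4], 'big') % 10**8:08d}"


class Issuer:
    """Issuer domain: the server that challenges and authenticates the cardholder."""

    def __init__(self, acs_url):
        self.acs_url = acs_url
        self.pending = {}   # challenge -> (pan, amount, merchant); single-use
        self.last_atc = {}  # pan -> highest card counter accepted (replay check)
        ACS_BY_URL[acs_url] = self

    def is_enrolled(self, pan):
        return pan in CARD_KEYS or pan in STATIC_PASSWORDS

    def start_session(self, pan, amount, merchant):
        # Step 5: the authentication window, with a fresh challenge and the details.
        challenge = secrets.token_hex(8)
        self.pending[challenge] = (pan, amount, merchant)
        return {"challenge": challenge, "merchant": merchant, "amount": amount}

    def authenticate(self, challenge, response):
        session = self.pending.pop(challenge, None)
        if session is None:
            return "N"  # unknown or already-consumed challenge
        pan, amount, merchant = session
        if "password" in response:  # weakest option: static password
            ok = hmac.compare_digest(response["password"], STATIC_PASSWORDS.get(pan, ""))
            return "Y" if ok else "N"
        if pan not in CARD_KEYS or response["atc"] <= self.last_atc.get(pan, 0):
            return "N"  # no card key, or counter did not advance (replayed token)
        expected = pcr_token(card_cryptogram(CARD_KEYS[pan], response["atc"],
                                            challenge, amount, merchant))
        if not hmac.compare_digest(expected, response["token"]):
            return "N"  # token does not bind this challenge, amount and merchant
        self.last_atc[pan] = response["atc"]
        return "Y"


class Directory:
    """Interoperability domain: routes the enrollment query by card range (BIN)."""

    def __init__(self, issuers_by_bin):
        self.issuers_by_bin = issuers_by_bin

    def verify_enrollment(self, pan):
        issuer = self.issuers_by_bin.get(pan[:6])
        if issuer is None or not issuer.is_enrolled(pan):
            return {"enrolled": "N"}
        return {"enrolled": "Y", "acs_url": issuer.acs_url}


class ChipCard:
    """Card holding its copy of the key and a transaction counter that only rises."""

    def __init__(self, pan):
        self.pan, self.key, self.atc = pan, CARD_KEYS[pan], 0

    def respond(self, window):
        # Step 6 with a PCR: the card signs the challenge, the reader tokenises it.
        self.atc += 1
        crypt = card_cryptogram(self.key, self.atc, window["challenge"],
                                window["amount"], window["merchant"])
        return {"atc": self.atc, "token": pcr_token(crypt)}


def run_purchase(directory, pan, amount, merchant, cardholder):
    """Merchant/MPI view of steps 2 to 7. `cardholder` is called with the issuer's
    authentication window and returns the cardholder's response."""
    enrolment = directory.verify_enrollment(pan)
    if enrolment["enrolled"] != "Y":
        return {"enrolled": "N", "authenticated": "U"}
    acs = ACS_BY_URL[enrolment["acs_url"]]  # step 4: redirect via the cardholder device
    window = acs.start_session(pan, amount, merchant)
    result = acs.authenticate(window["challenge"], cardholder(window))
    return {"enrolled": "Y", "authenticated": result}  # step 7 back to the merchant
```

Creating an Issuer, a Directory mapping the constructed BIN 400000 to it and a ChipCard for PAN 4000000000000002, then calling run_purchase(directory, card.pan, "49.99", "Example Shop", card.respond) returns {"enrolled": "Y", "authenticated": "Y"}. Feeding a captured response into a second purchase returns "N": the issuer issues a fresh challenge each time and requires the card counter to advance, which is the property a static password or PIN cannot offer.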
Consideration is now being given to ways of enhancing solutions for authenticating customers who use credit cards or debit cards for payment in electronic transactions. Attention is directed to solutions for securing the merchant's Internet sales channel by authenticating the cardholder at the point-of-interaction (POI) and to generating explicit evidence of the presence of both the card and the cardholder at the POI. Desirable solutions should be compatible with industry implementations of common protocols such as 3-D Secure and with other industry standards such as the EMV standard for smart cards, so as to strengthen authentication beyond simple static passwords or PINs.